Intermittent SSL_PROTOCOL_ERROR

f-starace · January 19, 2022, 11:45am

Hi, I have multiple containers connected through Traefik as reverse proxy in order to enable TLS. I often receive the ERR_SSL_PROTOCOL_ERROR when I try to access those services (sometimes all of them, other times just one service).

Here's my docker-compose.yaml file, it includes all the necessary configuration for Traefik as well. I removed not-inherent bits of code:

version: "3.8"
services:
  api:
    container_name: api
    ...
    networks:
      - traefik-public
    labels:
      # Enable Traefik for this specific "backend" service
      - traefik.enable=true
      # Define the port inside of the Docker service to use
      - traefik.http.services.app.loadbalancer.server.port=80
      # Make Traefik use this domain in HTTP
      - traefik.http.routers.app-http.entrypoints=http
      - traefik.http.routers.app-http.rule=Host(`api.mydomain.com`)
      # Use the traefik-public network (declared below)
      - traefik.docker.network=traefik-public
      # Make Traefik use this domain in HTTPS
      - traefik.http.routers.app-https.entrypoints=https
      - traefik.http.routers.app-https.rule=Host(`api.mydomain.com`)
      - traefik.http.routers.app-https.tls=true
      # Use the "le" (Let's Encrypt) resolver
      - traefik.http.routers.app-https.tls.certresolver=le
      # https-redirect middleware to redirect HTTP to HTTPS
      - traefik.http.middlewares.https-redirect.redirectscheme.scheme=https
      - traefik.http.middlewares.https-redirect.redirectscheme.permanent=true
      # Middleware to redirect HTTP to HTTPS
      - traefik.http.routers.app-http.middlewares=https-redirect

  traefik:
    # Use the latest v2.3.x Traefik image available
    image: traefik:v2.3
    container_name: traefik
    ports:
      # Listen on port 80, default for HTTP, necessary to redirect to HTTPS
      - 80:80
      # Listen on port 443, default for HTTPS
      - 443:443
    restart: always
    labels:
      # Enable Traefik for this service, to make it available in the public network
      - traefik.enable=true
      # Define the port inside of the Docker service to use
      - traefik.http.services.traefik-dashboard.loadbalancer.server.port=8080
      # Make Traefik use this domain in HTTP
      - traefik.http.routers.traefik-dashboard-http.entrypoints=http
      - traefik.http.routers.traefik-dashboard-http.rule=Host(`traefik.mydomain.com`)
      # Use the traefik-public network (declared below)
      - traefik.docker.network=traefik-public
      # traefik-https the actual router using HTTPS
      - traefik.http.routers.traefik-dashboard-https.entrypoints=https
      - traefik.http.routers.traefik-dashboard-https.rule=Host(`traefik.mydomain.com`)
      - traefik.http.routers.traefik-dashboard-https.tls=true
      # Use the "le" (Let's Encrypt) resolver created below
      - traefik.http.routers.traefik-dashboard-https.tls.certresolver=le
      # Use the special Traefik service api@internal with the web UI/Dashboard
      - traefik.http.routers.traefik-dashboard-https.service=api@internal
      # https-redirect middleware to redirect HTTP to HTTPS
      - traefik.http.middlewares.https-redirect.redirectscheme.scheme=https
      - traefik.http.middlewares.https-redirect.redirectscheme.permanent=true
      # traefik-http set up only to use the middleware to redirect to https
      - traefik.http.routers.traefik-dashboard-http.middlewares=https-redirect
      # admin-auth middleware with HTTP Basic auth
      # Using the environment variables USERNAME and HASHED_PASSWORD
      - traefik.http.middlewares.admin-auth.basicauth.users=${USERNAME?Variable not set}:${HASHED_PASSWORD?Variable not set}
      # Enable HTTP Basic auth, using the middleware created above
      - traefik.http.routers.traefik-dashboard-https.middlewares=admin-auth
    volumes:
      # Add Docker as a mounted volume, so that Traefik can read the labels of other services
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Mount the volume to store the certificates
      - traefik-public-certificates:/certificates
    command:
      # Enable Docker in Traefik, so that it reads labels from Docker services
      - --providers.docker
      # Do not expose all Docker services, only the ones explicitly exposed
      - --providers.docker.exposedbydefault=false
      # Create an entrypoint "http" listening on port 80
      - --entrypoints.http.address=:80
      # Create an entrypoint "https" listening on port 443
      - --entrypoints.https.address=:443
      # Create the certificate resolver "le" for Let's Encrypt, uses the environment variable EMAIL
      - --certificatesresolvers.le.acme.email=my@email      
      # Store the Let's Encrypt certificates in the mounted volume
      - --certificatesresolvers.le.acme.storage=/certificates/acme.json
      # Use the TLS Challenge for Let's Encrypt
      - --certificatesresolvers.le.acme.tlschallenge=true
      # Enable the access log, with HTTP requests
      - --accesslog
      # Enable the Traefik log, for configurations and errors
      - --log
      # Enable the Dashboard and API
      - --api
    networks:
      # Use the public network created to be shared between Traefik and
      # any other service that needs to be publicly available with HTTPS
      - traefik-public
  strapicms:
    image: strapi/strapi
    container_name: strapicms
    ...
    labels:
      # Enable Traefik for this specific "backend" service
      - traefik.enable=true
      # Define the port inside of the Docker service to use
      - traefik.http.services.app-strapi.loadbalancer.server.port=1337
      # Make Traefik use this domain in HTTP
      - traefik.http.routers.app-strapi-http.entrypoints=http
      - traefik.http.routers.app-strapi-http.rule=Host(`cms.mydomain.com`)
      # Use the traefik-public network (declared below)
      - traefik.docker.network=traefik-public
      # Make Traefik use this domain in HTTPS
      - traefik.http.routers.app-strapi-https.entrypoints=https
      - traefik.http.routers.app-strapi-https.rule=Host(`cms.mydomain.com`)
      - traefik.http.routers.app-strapi-https.tls=true
      # Use the "le" (Let's Encrypt) resolver
      - traefik.http.routers.app-strapi-https.tls.certresolver=le
      # https-redirect middleware to redirect HTTP to HTTPS
      - traefik.http.middlewares.https-redirect.redirectscheme.scheme=https
      - traefik.http.middlewares.https-redirect.redirectscheme.permanent=true
      # Middleware to redirect HTTP to HTTPS
      - traefik.http.routers.app-strapi-http.middlewares=https-redirect
    networks:
      - traefik-public
    ports:
      - "1337:1337"
networks:
  ...
  traefik-public:
    external: true
volumes:
  ...
  traefik-public-certificates:

I added the A record for all the various subdomains through Digital Ocean.

I do not know if it may be relevant, but I have a CNAME redirecting to Vercel for another subdomain at app.mydomain.com.

From the Traefik Dashboard or logs I do not receive any error or warning.

I hope you can help me, I'm new to Docker and it's hard to pin-point the exact cause of the problem for such an unpredictable situation.

Topic		Replies	Views
HTTPS Redirection Default Traefik v2 docker , middleware	2	615	May 21, 2020
Help with https redirection and infinite loop Traefik v2 docker , middleware	3	2449	January 26, 2023
Cannot get http -> https redirect to work properly Traefik v2 docker , middleware	3	1868	December 12, 2019
Traefik fails to serve https endpoint inside docker Traefik v2 docker , letsencrypt-acme	3	1510	June 19, 2020
I can't set up redirect http to https Traefik v2 docker , middleware	2	141	July 1, 2024

Intermittent SSL_PROTOCOL_ERROR

Related topics